LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 04-08-2004, 06:15 AM   #1
salparadise
Senior Member
 
Registered: Nov 2002
Location: Birmingham UK
Distribution: Various
Posts: 1,736

Rep: Reputation: 146Reputation: 146
very strange dmesg output


this is the output I get from dmesg

what does it mean?

3.38.113.3 DST=62.30.238.191 LEN=85 TOS=0x00 PREC=0x00 TTL=246 ID=14519 DF PROTO=UDP SPT=53 DPT=1066 LEN=65
DROPPED IN=ppp0 OUT= MAC= SRC=194.117.157.4 DST=62.30.238.191 LEN=105 TOS=0x00 PREC=0x00 TTL=251 ID=65238 DF PROTO=UDP SPT=53 DPT=1059 LEN=85
DROPPED IN=ppp0 OUT= MAC= SRC=193.38.113.3 DST=62.30.238.191 LEN=105 TOS=0x00 PREC=0x00 TTL=246 ID=14520 DF PROTO=UDP SPT=53 DPT=1067 LEN=85
DROPPED IN=ppp0 OUT= MAC= SRC=193.38.113.3 DST=62.30.238.191 LEN=85 TOS=0x00 PREC=0x00 TTL=246 ID=14521 DF PROTO=UDP SPT=53 DPT=1062 LEN=65
DROPPED IN=ppp0 OUT= MAC= SRC=50.26.183.44 DST=62.30.238.191 LEN=438 TOS=0x00 PREC=0x00 TTL=78 ID=63642 DF PROTO=UDP SPT=53 DPT=1026 LEN=418
DROPPED IN=ppp0 OUT= MAC= SRC=216.239.37.147 DST=62.30.238.191 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=64926 PROTO=TCP SPT=80 DPT=1037 SEQ=2538350621 ACK=4238546219 WINDOW=9300 RES=0x00 RST URGP=0
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48371 DF PROTO=TCP SPT=64918 DPT=2593 SEQ=481439646 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48499 DF PROTO=TCP SPT=64918 DPT=2593 SEQ=481439646 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=48708 DF PROTO=TCP SPT=64918 DPT=2593 SEQ=481439646 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.187.244.186 DST=62.30.238.191 LEN=46 TOS=0x00 PREC=0x00 TTL=52 ID=61833 PROTO=UDP SPT=33028 DPT=7818 LEN=26
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=15747 DF PROTO=TCP SPT=2700 DPT=2593 SEQ=1820081754 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=15752 DF PROTO=TCP SPT=2700 DPT=2593 SEQ=1820081754 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=15757 DF PROTO=TCP SPT=2700 DPT=2593 SEQ=1820081754 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=80.230.255.26 DST=62.30.238.191 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=52962 DF PROTO=TCP SPT=57962 DPT=2593 SEQ=2861498673 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0FDBCFD30000000001030300)
DROPPED IN=ppp0 OUT= MAC= SRC=80.230.255.26 DST=62.30.238.191 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=52963 DF PROTO=TCP SPT=57962 DPT=2593 SEQ=2861498673 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0FDBD0FF0000000001030300)
DROPPED IN=ppp0 OUT= MAC= SRC=80.230.255.26 DST=62.30.238.191 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=52964 DF PROTO=TCP SPT=57962 DPT=2593 SEQ=2861498673 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0FDBD3570000000001030300)
DROPPED IN=ppp0 OUT= MAC= SRC=80.230.254.67 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=56336 DF PROTO=TCP SPT=3522 DPT=2593 SEQ=304643934 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=80.230.254.67 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=56381 DF PROTO=TCP SPT=3522 DPT=2593 SEQ=304643934 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=80.230.254.67 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=56485 DF PROTO=TCP SPT=3522 DPT=2593 SEQ=304643934 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=216.239.59.104 DST=62.30.238.191 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=5345 PROTO=TCP SPT=80 DPT=1040 SEQ=2485671909 ACK=54199685 WINDOW=9300 RES=0x00 RST URGP=0
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=16063 DF PROTO=TCP SPT=2752 DPT=2593 SEQ=1870094582 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=16066 DF PROTO=TCP SPT=2752 DPT=2593 SEQ=1870094582 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=16070 DF PROTO=TCP SPT=2752 DPT=2593 SEQ=1870094582 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=61475 DF PROTO=TCP SPT=65235 DPT=2593 SEQ=634750401 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=61550 DF PROTO=TCP SPT=65235 DPT=2593 SEQ=634750401 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=24.59.90.12 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=61681 DF PROTO=TCP SPT=65235 DPT=2593 SEQ=634750401 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
DROPPED IN=ppp0 OUT= MAC= SRC=199.71.38.213 DST=62.30.238.191 LEN=681 TOS=0x00 PREC=0x00 TTL=112 ID=10789 PROTO=UDP SPT=20164 DPT=1026 LEN=661
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=16263 DF PROTO=TCP SPT=2793 DPT=2593 SEQ=1925532333 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
DROPPED IN=ppp0 OUT= MAC= SRC=217.165.74.215 DST=62.30.238.191 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=16266 DF PROTO=TCP SPT=2793 DPT=2593 SEQ=1925532333 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405AC01010402)

it goes on and on like this for ages
I had to cut some out to allow this to be posted

OPT
martian source 213.48.36.32 from 127.0.0.1, on dev ppp0
ll header: 45:00:00:28
martian source 213.48.36.32 from 127.0.0.1, on dev ppp0
ll header: 45:00:00:28
DROPPED IN=ppp0 OUT= MAC= SRC=64.156.39.12 DST=213.48.36.32 LEN=574 TOS=0x00 PREC=0x00 TTL=116 ID=38526 PROTO=UDP SPT=666 DPT=1026 LEN=554
martian source 213.48.36.32 from 127.0.0.1, on dev ppp0
ll header: 45:00:00:28
DROPPED IN=ppp0 OUT= MAC= SRC=146.145.104.180 DST=213.48.36.32 LEN=60 TOS=0x00 PREC=0x00 TTL=113 ID=22776 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=54316
 
Old 04-08-2004, 06:21 AM   #2
iluvatar
Member
 
Registered: Jul 2003
Location: netherlands
Distribution: debian
Posts: 403

Rep: Reputation: 30
somehow the dmesg shows some IP traffic information... do you notify anything strange at boot time? did you do / install / configure something special with your network?

greetz,
-= iluvatar =-

Last edited by iluvatar; 04-08-2004 at 06:24 AM.
 
Old 04-08-2004, 06:33 AM   #3
salparadise
Senior Member
 
Registered: Nov 2002
Location: Birmingham UK
Distribution: Various
Posts: 1,736

Original Poster
Rep: Reputation: 146Reputation: 146
no
boot is normal
no special events at boot time

just a normal, stand alone machine
 
Old 04-08-2004, 06:34 AM   #4
iluvatar
Member
 
Registered: Jul 2003
Location: netherlands
Distribution: debian
Posts: 403

Rep: Reputation: 30
hmm analyzing the log take a look at these rows:

Quote:
DROPPED IN=ppp0 OUT= MAC= SRC=216.239.37.147 DST=62.30.238.191 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=64926 PROTO=TCP SPT=80 DPT=1037 SEQ=2538350621 ACK=4238546219 WINDOW=9300 RES=0x00 RST URGP=0
this means there's an incoming packet from 216.239.37.147 (this seems to be google), the source port is 80 (http) wich is the web server port (looks allright). the destination IP is 62.30.238.191, wich must be yours. the protocol is TCP ofcourse

blablabla etc anyway, it's nothing to worry about, exept for the fact this shouldn't be in your dmesg output (as far as I know). how this is possible I don't know...

greetz,
-= iluvatar =-

ps: nothing wrong, exept the packet is dropped you don't use the internet on that machine? or: can you use it?
 
Old 04-08-2004, 06:47 AM   #5
salparadise
Senior Member
 
Registered: Nov 2002
Location: Birmingham UK
Distribution: Various
Posts: 1,736

Original Poster
Rep: Reputation: 146Reputation: 146
yes I use the internet on it

I have gaurddog installed
could that be it?

maybe gaurddog is dumping it's log into dmesg? (just guessing here)
i noticed this dmesg behaviour first in mandrake 10 (different from 9.2)
 
Old 04-08-2004, 07:11 AM   #6
iluvatar
Member
 
Registered: Jul 2003
Location: netherlands
Distribution: debian
Posts: 403

Rep: Reputation: 30
here I am again... I took a look at the website of guarddog, noticed this:
Quote:
The Log aborted TCP connections (half open scans) check box controls whether TCP connections that are forcefully terminated using a RST packet are logged. A port scanning technique know as "half-open" scanning uses RST packets to quickly abort an half open TCP connection in order to avoid detection. This can be done using nmap's -sS option. By turning this option on you can detect and log when this happens. Unfortunately many web servers like to quickly terminate connections by using a RST packet. This can produce quite a lot of unwanted noise in your system logs. Therefore you may want to turn this option off. Also, this option only has effect when the firewall is used on a Linux kernel 2.4 machine in combination with iptables.
and most of all, this sentence:
Quote:
Unfortunately many web servers like to quickly terminate connections by using a RST packet. This can produce quite a lot of unwanted noise in your system logs.
so webpages you visit use this type of packet to terminate the connection, wich is actually not the way according to the RFC i guess. thats why it comes up in your log. I also read on the site that guarddog dumps its log to the syslog. maybe syslog can be configured to store the guarddog messages to another file, but I haven't completed reading the man-pages

succes,
-= iluvatar =-
 
Old 04-08-2004, 12:34 PM   #7
salparadise
Senior Member
 
Registered: Nov 2002
Location: Birmingham UK
Distribution: Various
Posts: 1,736

Original Poster
Rep: Reputation: 146Reputation: 146
ok

i turned off all logging from guarddog and dmesg now reads ok

many thanks for your help
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
dmesg output cranium2004 Linux - Newbie 1 01-27-2005 03:03 AM
Strange dmesg output voyciz Linux - Networking 3 06-08-2004 01:05 PM
please help! error in dmesg output mickey1980 Linux - General 2 06-02-2004 11:23 PM
iptables firewall seems to work but strange output in dmesg. ldp Linux - Networking 3 04-17-2004 03:00 PM
dmesg output safrout Slackware 6 05-18-2003 12:43 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 02:28 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration